Comments (5)
There are a few ways to deal with this. One option is to modify `openldap_password` to take additional values to use when generating the salt. Another option is to modify `openldap_password` to take a salt directly and require the user to handle salt generation (maybe with `fqdn_rand_string`, assuming that gets accepted into stdlib). I'm not particularly fond of those solutions, though.

The best option, IMO, is to get rid of `openldap_password` entirely and fold it into the `openldap_database` type, since as far as I can tell that's the only place it's useful (please correct me if I'm wrong here). Since the types have access to the current hash values, if provided with plaintext passwords, they can check to see if the current hash is valid for the password by writing a custom `insync?` method. If not, the plaintext password can be hashed with a salt generated using `SecureRandom#random_bytes(4)`. Printing of the salts to the log can be prevented by writing custom `is_to_s` and `should_to_s` methods. See the user type for an example of this. Another parameter could be added to indicate what sort of hash to generate, maybe `hash_type`, which I recommend only supporting the values `SSHA` and `none`, the latter being provided if the user wanted to provide their own pre-hashed password for whatever reason.

Thoughts?
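The check-then-rehash logic proposed in the comment above, as an added illustration (not code from puppet-openldap): `valid?` is the comparison an `insync?` method would make against the current `{SSHA}` value, `generate` produces a fresh hash with a 4-byte `SecureRandom` salt, and `desired_value` applies the proposed `hash_type` of `SSHA` or `none`. The module and method names are assumptions for this example; the `{SSHA}` layout is OpenLDAP's standard base64(sha1(password + salt) + salt).

```ruby
require 'digest'
require 'base64'
require 'securerandom'

module OpenldapSsha
  PREFIX = '{SSHA}'.freeze
  DIGEST_LEN = 20 # SHA-1 digest size in bytes

  # Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).
  # Salt defaults to 4 random bytes, matching SecureRandom#random_bytes(4).
  def self.generate(password, salt = SecureRandom.random_bytes(4))
    digest = Digest::SHA1.digest(password.b + salt.b)
    PREFIX + Base64.strict_encode64(digest + salt.b)
  end

  # True if `current` is a well-formed {SSHA} hash of `password`.
  # The salt is recovered from the stored value, so no salt needs to be kept
  # in the manifest and idempotency does not depend on regenerating it.
  def self.valid?(current, password)
    return false unless current.is_a?(String) && current.start_with?(PREFIX)
    decoded = Base64.strict_decode64(current[PREFIX.length..-1])
    return false if decoded.bytesize <= DIGEST_LEN
    stored_digest = decoded.byteslice(0, DIGEST_LEN)
    salt = decoded.byteslice(DIGEST_LEN..-1)
    secure_compare(stored_digest, Digest::SHA1.digest(password.b + salt))
  rescue ArgumentError # malformed base64
    false
  end

  # What the resource should end up with: an unchanged hash when it already
  # matches (no spurious change), a new salted hash when it does not, or the
  # user-supplied pre-hashed value when hash_type is 'none'.
  def self.desired_value(current, password, hash_type: 'SSHA')
    return password if hash_type == 'none'
    valid?(current, password) ? current : generate(password)
  end

  # Constant-time byte comparison so hash checks do not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```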
Pinging @mcanevet to make sure my comment was seen. Sorry if you already read this.
Integrating this into the provider seems like a good idea to me.
@elyscape looks like a good idea. I may not have much time to code this in the next few days, so a PR would be great.
I'm a bit busy myself, but I'll take a look and see what I can do. In the meantime, it might be a good idea to push out a point release reverting the 4b2f0b2.